How bulletproof is your cloud? Part 4: Compliance

Welcome to the final edition of our four-part cloud series. So far, we’ve taken a look at how to find the right provider, one that has a customer-centric culture, is compatible with your organization, and provides stability in a sea of change.

Now, we turn our sights to compliance.

The best way to believe in something is to see it with your own eyes. The second-best way is to have someone you trust see it and give you a thumbs-up.

A Second Set of Eyes

Want to know whether your cloud services provider is actually delivering the software, SLAs, services and security it says it will?

Ask. If the answer you get isn’t codified in a contract or evidenced in a third-party report, be prepared to do some digging. Even if your provider is forthcoming with the information you ask for, the list of what it actually delivers is longer than you realize (trust me on this), so it may not make much sense for you to see it with your own eyes – contract, report or otherwise. Besides, you might miss something.

Auditors won’t.

Your trusted “second set of eyes” in the services world are the auditing agencies and the compliance reports to which they attest, such as SSAE16 SOC I, SOC II and III, PCI and ISO – reports your services provider should be familiar with. A SOC report in-hand goes a long way when it comes time for you to justify the integrity of outsourced services to your end users, IT staff, executives and those who are auditing your processes.

The bottom line: Never be afraid to ask. You need the answers and your cloud service providers (the ones who listen to their customers) will appreciate knowing the scope and extent of your compliance requirements.

My advice: Do this diligence before you ink a contract, even if you don’t have a current need for compliance with your provider. Most compliance attestation periods span six months or a year. Make it a point to request copies of your provider’s reports.

Successfully Managing Perpetual Newness

First and foremost, we have to understand what “new” entails. If I were to ask you to describe a new car, words like “shiny,” “efficient” and “cutting-edge technology” might come to mind. If I were to ask you to describe a new piece of software, though, you might say things like “unstable,” “buggy” and “no support.”

“New” has the potential to be all of these things – simultaneously exciting and filled with risk. Finally, we have identified something we can quantify and address – risk. If you fear…

…the software, service or platform will crash or become unavailable, make sure you have an uptime/availability SLA in your agreement with the provider

…you will get the run-around from provider support personnel, make sure you have a support response SLA in your agreement

…the service could be hacked and your sensitive data stolen, make sure there are stringent security, access and encryption control requirements detailed in your agreement

Building An Invincible Cloud

When it comes to the cloud, you’ve got choices. Thanks to the competitive landscape, many of these choices will measure up to the scalability, uptime, high availability, speed and security standards you require. In an otherwise flat-value-proposition landscape, there will be significant variation in quality and corresponding hefty costs associated with recovery from failed or short-term provider relationships.

Provided you make the right choices, these costs are avoidable, and that’s where it pays dividends to look for the anomalies of quality: Customer-centric culture, high compatibility, options for stability and a healthy compliance record.

Remember, “bulletproof” is as much about what a services provider stands for as what it advertises.

Simply put, it’s what’s holding up the armor that counts.

Thanks for reading this series.

Blog post originally appeared on